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Critical infrastructure networks are a key ingredient of modern society. We discuss a general 
method to spot the critical components of a critical infrastructure network, i.e. the nodes and the 
links fundamental to the perfect functioning of the network. Such nodes, and not the most connected 
ones, are the targets to protect from terrorist attacks. The method, used as an improvement analysis, 
can also help to better shape a planned expansion of the network. 
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The attacks of September 11 2001 have raised in all 
its urgency the problem of protecting critical infrastruc- 
tures from terrorist attacks. The US President's Com- 
mission on Critical Infrastructures Protection has de- 
fined five different categories of critical infrastructures: 
1) information-communication, 2) banking and finance, 
3) energy (e.g. electric, oil, gas), 4) physical distribu- 
tion (including transportation), 5) vital human services 
(including water supply). In this paper we propose a 
general method to find the critical components of a criti- 
cal infrastructure network ■ By critical components we 
mean the nodes and the edges crucial to the best func- 
tioning of the network, and therefore the strategic points 
of the network to improve or to protect from terrorist 
attacks. Recently, attacks on artificially generated ran- 
dom and scale- free topologies and on real-world networks 
have been studied intensively. In the literature appeared 
so far the attacks were simulated as the deliberate re- 
moval either of nodes [1 S H H or of links H i, 
of the network. The rationale of our method is different 
from the previous ones: instead of sorting and removing 
the nodes in descending order of degree d, ^ IE Hi or be- 
tweenness [IJSH, and the edges in descending order of 
betweennes or range , we measure the importance 
of an element of the network by the drop in the network's 
performance caused by the deactivation of that element. 
In practice we check for the redundancy of an element 
by calculating the performance of the perturbed network 
and comparing it with the original one. The element can 
be a single node or edge, or a group of nodes and edges if 
we want to simulate multiple attacks. In this way we de- 
fine the vulnerability of the network under a given class 
of attacks and we produce a list of the points of the net- 
work that should be the first concern of any policy of 
protection from terrorist attacks. Analogously, we mea- 
sure the importance of an improvement by the increase in 
the network's performance caused by such improvement. 
The paper is organized as follows: we first present the 



general framework to define critical damages, critical im- 
provements, structural vulnerability and improvability of 
a critical infrastructure. We then show how the method 
works in practice on some examples of communication 
and transportation critical infrastructures. 

We assume that a generic critical infrastructure S is 
char act erized_by a single variable ^[S] > 0, the perfor- 
mance oiS 10]. The definition and quantitative analysis 
of the critical components of S, we propose in this paper, 
uses, as reference observable, variations in the perfor- 
mance A$. We consider separately the study of damages 
and of improvements. 

Attacks analysis. Let us indicate hy D a set of 
possible damages on the infrastructure S, and with 
DAMAGE{S, d) a map that gives the infrastructure re- 
sulting from S after the damage d ^ D. We mea- 
sure the importance of the damage d by the relative 
drop in performance A$^/$, with A(f>^ = $[5'] — 
'^[DAMAGE{S,d)] > 0, caused by d. In particular, the 
critical damage d* G I? is the damage of D that minimizes 
<i>[DAMAGE{S, d)]. The vulnerability V of S under the 
class of damages D can be defined as: 



V[S,D] = 



<S>[S]-W[S, D] 



(1) 



where W[S,D] = ^DAMAGE{S,d*)] is the worst per- 
formance of S under the class of damages D. The vul- 
nerability y[S', D] is defined in the range [0,1]. 

Improvements analysis. We now turn our at- 
tention into how to improve an existing infrastructure 
[ill] . Various improvements can be added to 5, so 
given a set of improvements / we define, for any im- 
provement i E I, the map IMPROVE{S, i) that gives 
the resulting infrastructure obtained after the improve- 
ment i. We measure the importance of i as the rela- 
tive increase in the performance IS.^^ with A$+ — 
<^[IMPROVE{S,i)] - $[5"], caused by i. In particular 
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we define the critical improvement i* as the best possible 
improvement in J, i.e. the improvement of / that maxi- 
mizes ^[I M PROV E{S, i)]. Then, the improvability IM 
of S under the class of improvements / can be defined as: 



IM[S,I] = 



(2) 



where B[S, I] = <^[IMPROVE{S, i*)] is the best perfor- 
mance of S under the class of improvements /. 

As a practical application of the method we consider 
communication-information (as the Internet |l2j|') and 
transportation infrastructure networks. We represent the 
infrastructure network S" as a valued 13] undirected [l^ 
graph with N nodes (for instance the routers in the In- 
ternet, or the stations in a railway transportation sys- 
tem) and K links (the cables connecting two routers, 
or the lines connecting couples of stations). S is de- 
scribed by the N x N adjacency matrix {hj}. If there 
is a link between node i and node j, the entry lij is a 
positive number measuring the link latency, otherwise 
lij = +00. For instance, in the Internet (in the rail- 
way system) the larger l^j is, the longer it takes for a 
unitary packet of information (a train) to go along the 
link from i to j. We have now different ways to mea- 
sure the performance of S. In this paper we identify the 
performance of S with the efficiency of the network i.e. 
we assume: <^[S] = E[S] = ^^)J2^^jeS ^l^ere 
dij is the smallest sum of the links latency throughout 
all the possible paths in the graph from a node i to a 
node j (in the particular case of unvalued graphs dij re- 
duces to the minimum number of links traversed to get 
from i to j). The efficiency is a quantity recently intro- 
duced in refs.^3 to measure how efficiently the nodes of 
the network communicate if they exchange information 
in parallel. A second possibility is to assume the perfor- 
mance $ [S] to be equal to the inverse of the characteristic 



path length L 



N(N 



[T1[T|. An alter- 
native possibility to avoid the shortest path assumption 
on which both E and L rely, is to identify ^[S] with the 
mean flow-rate of information over S [l7| . 

Ca*net3 We show how the method works in prac- 
tice by considering the Ca*net3 IS-IS routing network 
|18| represented in fig.l, a simple example of an Internet 
backbone, consisting of two main routes, OC-12 and OC- 
48, N = 13 routers and K ^ 14 links. As the backbone 
has diverse routes of different bandwidths, the preferred 
path between any two routers is the path which presents 
the least amount of latency under normal router load 
conditions. We consider three different classes (sets) of 
damages D: the damage of a single cable connection, 
of a single Internet router, and of a couple of routers. 
DAMAGE{S, d) is the network we obtain from S after 
the deactivation of the damaged component (respectively 
the damaged link, node or couple of nodes). The dam- 
age of single links allows to investigate the finer effects 
on the network, since the damage of a node implies the 
damage of a number of links equal to the node's degree. 




FIG. 1: Ca*net3 IS-IS routing network. The numbers re- 
ported are a measure of the latency associated to each link 



The entity of the damage d is given by the relative drop 
in the efficiency A<I>^/$[S'] caused by d. 
As class of improvements / we consider the effect of 
adding a new link_(the addition of groups of links will 
be considered in jia|). IMPROVE{S,i) is the network 
we obtain from S after the addition of the new link. 
The results shown in table HI indicate that the connec- 
tion Winnipeg2-Winnipegl is by far the most important 
one since it is crucial for the correct interplay of the OC- 
12 and OC-48 routes. The routers Winnipegl and Win- 
nipeg2 are respectively the first and the second in the 
list of the most important nodes. Conversely when two 
nodes are removed at once, the couple Winninipegl -I- 
Montreal produces a larger effect than the couple Win- 
nipegl + Winnipeg2 which is only the tenth in the list 
(not in table) with A$"/<I> = 0.570. Concerning the 
improvement analysis, the best links to add are long ca- 
bles bridging two different parts of the network, as for 
instance Toronto-NYC or Winnipegl-Toronto. 

Infonet As a second example we study the Internet 
backbone of Infonet poj. as of September 2001. The net- 
work of Infonet has TV = 94 nodes and K = 96 cable 
connections and carries about the 10% of the traffic over 
US and Europe. It consists of two main parts, the US and 
the European backbone respectively with A^i — 66 and 
N2 — 28 nodes, connected by three overseas cables. In 
tableniwe consider the same classes of damages and im- 
provements as in the previous example. The vulnerability 
of Infonet under single link damages is = 0.379, with 
NYC-New Jersey being the critical link damage. Such a 
link plays in the network a role similar to red bonds in 
percolation 0|. In fact the removal of such a link will 
result in a break up of the network into two disconnected 
parts of about the same size, with a decrease of the 38% in 
the performance of the network. Notice that the second 
highest link damage produces only a drop of 23% in the 
performance. Other important links are those connecting 
New- Jersey with Chicago, with San Jose and with Dal- 
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TABLE I: Attacks and improvement analysis of Ca*net3. For 
each class of damage/improvement considered (see text) we 
report the cases having the highest effects on the performance 
of the network. Rank and name of the damaged link (node, 
or couple of nodes, respectively) and of the added link are 
listed in the first two columns. The relative drop or increase 
of the efficiency is in the third column. 





Damaged link 




1 


Winnipeg2 - Winnipegl 


0.358 


2 


Ottawa - Montreal 


0.146 


3 


Montreal - Fredericton 


0.123 


4 


Seattle - Vancouver 


0.098 




Damaged node 


A<3>"/$ 


1 


Winnipegl 


0.466 


2 


Winnipeg2 


0.408 


3 


Montreal 


0.317 


4 


Ottawa 


0.220 




Damaged couple of nodes 


LAW I 


1 


Winnipegl + Montreal 


0.792 


2 


Winnipegl + Ottawa 


0.723 


3 


Winnipeg2 + Montreal 


0.702 


4 


Winnipeg2 + Ottawa 


0.700 


5 


Winnipeg2 + Toronto 


0.633 




Added Link 


A$+/$ 


1 


Toronto - NYC 


0.01237 


2 


Ottawa - NYC 


0.00770 


3 


Winnipegl - Toronto 


0.00587 


4 


Fredericton - NYC 


0.00546 


5 


Winnipeg2 - Toronto 


0.00514 


6 


Seattle - Calgary 


0.00508 



las, and some links in the east cost as NYC- Washington 
and Washington-Atlanta. The links in table, ordered ac- 
cording to A<i>~/$, have also a decreasing betweenness 
&, another measure of link centrality ^3 defined as the 
number of times the link is in the shortest paths connect- 
ing couples of nodes Nevertheless, the correlation be- 
tween A$/~$ and h is not perfect: for instance the link 
NYC- Amsterdam, with the second highest betweenness, 
ranks only 14th according to A<i>~/$. The vulnerabil- 
ity under damages of single nodes (couples of nodes) is 
V = 0.573 iy = 0.723). New Jersey and NYC are by 
far the two most important nodes: the damage of either 
one would disconnect the US from the European back- 
bone, reducing by more than 50% the performance of the 
network. The damage of both nodes at once reduces by 
more than 70% the netwo rk p erformance. The damage 
analysis of other networks [23 shows that the link NYC- 
New Jersey and the nodes NYC and New Jersey play 
an important role also in other Internet backbone maps. 
Such result might explain the significant drop in perfor- 
mance, marked by increased packet loss and difhcult in 
reaching some Web Sites (in particular in the connection 
from US to Europe), experienced by the Internet in the 
aftermath of the 11 September terrorist attacks. In fact 
the stress the US Internet infrastructure was subjected to 
was the greatest encountered over its 32-year history and 
was probably related to the damages of Internet routers 



TABLE II: Attacks and improvement analysis of Infonet 2001 
f20|. as of September 2001. Same as in table |I] In the last 
column we report the betweenness h of the removed edge, the 
degree k of the removed node, and the sums of the degrees of 
the two removed nodes. 
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INYC-New Jersey 
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Damaged couple of nodes 




ki + k2 


i 


IN I + -LN ew J ersey 


A 7'9Q 

U. / Zo 


1 / 


o 


New Jersey H- Amsterdam 


A 'T'l A 


1 Q 


Q 
O 


New Jersey -h Atlanta 


A THT 


9Q 


A 


New Jersey -h Prankfurt 


U.Doy 


9n 
zu 





IN 1 -j- L^nicago 


A (^cp; 
U.ooo 


9/1 
Z4 


D 


New Jersey ~\- W^ashington 
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Added Link 






\ 








2 


Chicago- Atlanta 


0.0481 




3 


NYC-Atlanta 


0.0437 




4 


San Jose-Atlanta 


0.0395 




5 


Dallas- At lant a 


0.0341 




6 


Chicago- Amsterdam 


0.0339 




7 


N Jersey-Amsterdam 


0.0329 




8 


NYC-Chicago 


0.0326 




9 


Atlanta-Amsterdam 


0.0318 




10 


Chicago- Frankfurt 


0.0316 




11 


Atlanta- Frankfurt 


0.0296 





and cables in the south of NYC "2^ . 
The comparison of our measure with the node degree k 
|13| i.e. with the number of links incident with the node, 
(see tab^ shows that the damage of the most connected 
nodes, the hubs is not always the worst damage. In 
fact, the damage of Chicago, the node with the highest 
k, produces only a drop of 28% in the performance of 
the network, while the damage of Chicago and Atlanta, 
the couple with the highest number of links (29) gives 
A$-/$ = 0.476 (the 187th damage in the list). This 
has deep consequences on the best strategy to adopt in 
a protection policy. In fact, a node with a large degree is 
immediately recognized as a major channel of communi- 
cation, bein g ve ry visible since in direct contact to many 
other nodes On the other hand, Infonet is a typical 
example in which the crucial components, i.e. the nodes 
to protect from the attacks, are not the hubs, but less 
visible and apparently minor nodes. 
Our results imply either an intense policy of protection 
of the critical links/nodes from attacks, or a strategic ex- 
pansion of the network with the addition of new links |3] • 
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TABLE III: Attacks and Improvement analysis of the MBTA. 
Same as in table |I] The letters in parenthesis indicate the 
line/lines the stations belong to: R=red, G=green, Gs=green 
B, Gc=green C, 0=orange, B=blue. 





Damaged link 




1 


Park Street(RG)- Boylstone(G) 


0.275 


2 


Boylstone(G) - Arlington(G) 


0.270 


3 


Arlington(G) - Copley(G) 


0.270 


4 


Copley(G) - Hynes(G) 


0.256 


5 


Ilynes(G) - Kenmore(G) 


0.255 


6 


Kenmore(G) - Blandior(G) 


0.185 




Damaged node 


A$"/$ 


1 


Kenmore(G) 


0.343 


2 


Copley(G) 


0.333 


3 


Park Street(RG) 


0.331 


4 


Boylstone(G) 


0.285 


5 


Arhngton(G) 


0.281 


6 


Hynes(G) 


0.266 




Damaged couple of nodes 


A<I>~/$ 


1 


Down. Cross. (HO) + Kenmore(G) 


0.508 


2 


Park Street(RG) + Kenmore(G) 


0.495 


Q 
O 


uown. oross. i^iiLJ J ~\- L^opieyt^Vjrj 


U.4D0 


4 


Boylstone(G) + Kenmore(G) 


0.444 




Added Link 


A<I>+/$ 


1 


Mount Hood(Gs)- Dean (Go) 


0.0390 


2 


Mount Hood(Gs)- Tappan(Gc) 


0.0370 


3 


Washington(G_B)- Tappan(Gc) 


0.0369 


4 


Washington(Gs)- Dean (Go) 


0.0368 


5 


Sutherland(Gs)- Englewood(Gc) 


0.0360 


6 


Mount IIood(Gs)- Englewood(Gc) 


0.0357 


7 


Sutherland(Gs)- Dean (Gc) 


0.0355 



We now investigate the best strategies to increase the per- 
formance of the network by the addition of a new link. 
The improvabiUty of S under such a class of improve- 



ments is / = 0.052. In the highest positions we find two 
different classes of links: links connecting two IP pres- 
ences in the US, and links connecting US and Europe 
as Chicago- Amsterdam, NJersey-Amsterdam, Atlanta- 
Amsterdam, Chicago- Frankfurt and Atlanta- Frankfurt. 
A new link between Us and Europen, namely the link 
Washington-Geneva, was in fact planned in the expan- 
sion of Infonet 2001. Our method predicts that the in- 
clusion of such a link increases by 2.5% the network per- 
formance. 

MBTA As a final example we cosider a transportation 
system, the Boston subway, consisting of four lines, N — 
124 stations and K = 125 tunnels |2J|. Here the links 
latency has been taken to be proportional to the time it 
takes to go from a station to the next one. The results of 
the analysis are in table IIIll The vulnerability V is equal 
to 0.275,0.343,0.508, respectively for damages of single 
links, single nodes or couples of nodes. The critical link 
is Park Street - Boylstone. / is equal to 0.0390 with best 
links to be added those connecting stations on the green 
line B with stations on the green line C. 

Summing up, in this paper we have proposed a new 
general method to spot the critical components of a crit- 
ical infrastructure system. With this method we are able 
to identify the points of a network that are crucial to 
the functioning of the infrastructure network, i.e. those 
nodes and connections whose protection from terrorist at- 
tacks must be assumed as the first concern of any national 
policy. The method, used as an improvement analysis, 
can also help to better shape an expansion of the net- 
work. Other classes of critical infrastructure systems are 
curreiitly under study and will be presented in a future 
work [la. 
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